From: Guenter Roeck <linux@roeck-us.net>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Oleg Nesterov <oleg@redhat.com>, Eric Paris <eparis@redhat.com>,
Kees Cook <keescook@chromium.org>,
Serge Hallyn <serge@hallyn.com>, Jann Horn <jannh@google.com>,
Christian Brauner <christian.brauner@ubuntu.com>
Subject: Re: [PATCH 4.14 20/65] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
Date: Thu, 23 Jan 2020 15:01:29 -0800 [thread overview]
Message-ID: <20200123230129.GA3737@roeck-us.net> (raw)
In-Reply-To: <20200122092754.007578340@linuxfoundation.org>
On Wed, Jan 22, 2020 at 10:29:05AM +0100, Greg Kroah-Hartman wrote:
> From: Christian Brauner <christian.brauner@ubuntu.com>
>
> commit 6b3ad6649a4c75504edeba242d3fd36b3096a57f upstream.
>
> Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat")
> introduced the ability to opt out of audit messages for accesses to various
> proc files since they are not violations of policy. While doing so it
> somehow switched the check from ns_capable() to
> has_ns_capability{_noaudit}(). That means it switched from checking the
> subjective credentials of the task to using the objective credentials. This
> is wrong since. ptrace_has_cap() is currently only used in
> ptrace_may_access() And is used to check whether the calling task (subject)
> has the CAP_SYS_PTRACE capability in the provided user namespace to operate
> on the target task (object). According to the cred.h comments this would
> mean the subjective credentials of the calling task need to be used.
> This switches ptrace_has_cap() to use security_capable(). Because we only
> call ptrace_has_cap() in ptrace_may_access() and in there we already have a
> stable reference to the calling task's creds under rcu_read_lock() there's
> no need to go through another series of dereferences and rcu locking done
> in ns_capable{_noaudit}().
>
> As one example where this might be particularly problematic, Jann pointed
> out that in combination with the upcoming IORING_OP_OPENAT feature, this
> bug might allow unprivileged users to bypass the capability checks while
> asynchronously opening files like /proc/*/mem, because the capability
> checks for this would be performed against kernel credentials.
>
> To illustrate on the former point about this being exploitable: When
> io_uring creates a new context it records the subjective credentials of the
> caller. Later on, when it starts to do work it creates a kernel thread and
> registers a callback. The callback runs with kernel creds for
> ktask->real_cred and ktask->cred. To prevent this from becoming a
> full-blown 0-day io_uring will call override_cred() and override
> ktask->cred with the subjective credentials of the creator of the io_uring
> instance. With ptrace_has_cap() currently looking at ktask->real_cred this
> override will be ineffective and the caller will be able to open arbitray
> proc files as mentioned above.
> Luckily, this is currently not exploitable but will turn into a 0-day once
> IORING_OP_OPENAT{2} land in v5.6. Fix it now!
>
> Cc: Oleg Nesterov <oleg@redhat.com>
> Cc: Eric Paris <eparis@redhat.com>
> Cc: stable@vger.kernel.org
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Reviewed-by: Serge Hallyn <serge@hallyn.com>
> Reviewed-by: Jann Horn <jannh@google.com>
> Fixes: 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat")
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> ---
> kernel/ptrace.c | 15 ++++++++++-----
> 1 file changed, 10 insertions(+), 5 deletions(-)
>
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -258,12 +258,17 @@ static int ptrace_check_attach(struct ta
> return ret;
> }
>
> -static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
> +static bool ptrace_has_cap(const struct cred *cred, struct user_namespace *ns,
> + unsigned int mode)
> {
> + int ret;
> +
> if (mode & PTRACE_MODE_NOAUDIT)
> - return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
> + ret = security_capable(cred, ns, CAP_SYS_PTRACE);
> else
> - return has_ns_capability(current, ns, CAP_SYS_PTRACE);
> + ret = security_capable(cred, ns, CAP_SYS_PTRACE);
> +
> + return ret == 0;
This results in
if (condition)
do_something;
else
do_the_same;
Is that really correct ? The upstream patch calls security_capable()
with additional CAP_OPT_NOAUDIT vs. CAP_OPT_NONE parameter, which does
make sense. But I don't really see the benefit of the change above.
Guenter
next prev parent reply other threads:[~2020-01-23 23:01 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-22 9:28 [PATCH 4.14 00/65] 4.14.167-stable review Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 01/65] dt-bindings: reset: meson8b: fix duplicate reset IDs Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 02/65] clk: Dont try to enable critical clocks if prepare failed Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 03/65] ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 04/65] ALSA: seq: Fix racy access for queue timer in proc read Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 05/65] Fix built-in early-load Intel microcode alignment Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 06/65] block: fix an integer overflow in logical block size Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 07/65] ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 08/65] iio: buffer: align the size of scan bytes to size of the largest element Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 09/65] USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 10/65] USB: serial: option: Add support for Quectel RM500Q Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 11/65] USB: serial: opticon: fix control-message timeouts Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 12/65] USB: serial: option: add support for Quectel RM500Q in QDL mode Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 13/65] USB: serial: suppress driver bind attributes Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 14/65] USB: serial: ch341: handle unbound port at reset_resume Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 15/65] USB: serial: io_edgeport: add missing active-port sanity check Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 16/65] USB: serial: keyspan: handle unbound ports Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 17/65] USB: serial: quatech2: " Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 18/65] scsi: fnic: fix invalid stack access Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 19/65] scsi: mptfusion: Fix double fetch bug in ioctl Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 20/65] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() Greg Kroah-Hartman
2020-01-23 23:01 ` Guenter Roeck [this message]
2020-01-24 7:38 ` Greg Kroah-Hartman
2020-04-20 14:15 ` Ben Hutchings
2020-01-22 9:29 ` [PATCH 4.14 21/65] usb: core: hub: Improved device recognition on remote wakeup Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 22/65] x86/resctrl: Fix an imbalance in domain_remove_cpu() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 23/65] x86/efistub: Disable paging at mixed mode entry Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 24/65] perf hists: Fix variable names inconsistency in hists__for_each() macro Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 25/65] perf report: Fix incorrectly added dimensions as switch perf data file Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 26/65] mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 27/65] btrfs: fix memory leak in qgroup accounting Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 28/65] mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 29/65] net: stmmac: 16KB buffer must be 16 byte aligned Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 30/65] net: stmmac: Enable 16KB buffer size Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 31/65] USB: serial: io_edgeport: use irqsave() in USBs complete callback Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 32/65] USB: serial: io_edgeport: handle unbound ports on URB completion Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 33/65] mm/huge_memory.c: make __thp_get_unmapped_area static Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 34/65] mm/huge_memory.c: thp: fix conflict of above-47bit hint address and PMD alignment Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 35/65] arm64: dts: agilex/stratix10: fix pmu interrupt numbers Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 36/65] cfg80211: fix page refcount issue in A-MSDU decap Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 37/65] netfilter: fix a use-after-free in mtype_destroy() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 38/65] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 39/65] NFC: pn533: fix bulk-message timeout Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 40/65] batman-adv: Fix DAT candidate selection on little endian systems Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 41/65] macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 42/65] hv_netvsc: Fix memory leak when removing rndis device Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 43/65] net: dsa: tag_qca: fix doubled Tx statistics Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 44/65] net: hns: fix soft lockup when there is not enough memory Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 45/65] net: usb: lan78xx: limit size of local TSO packets Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 46/65] net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 47/65] ptp: free ptp device pin descriptors properly Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 48/65] r8152: add missing endpoint sanity check Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 49/65] tcp: fix marked lost packets not being retransmitted Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 50/65] xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 51/65] cw1200: Fix a signedness bug in cw1200_load_firmware() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 52/65] arm64: dts: meson-gxl-s905x-khadas-vim: fix gpio-keys-polled node Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 53/65] cfg80211: check for set_wiphy_params Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 54/65] tick/sched: Annotate lockless access to last_jiffies_update Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 55/65] Revert "arm64: dts: juno: add dma-ranges property" Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 56/65] reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 57/65] scsi: esas2r: unlock on error in esas2r_nvram_read_direct() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 58/65] scsi: qla4xxx: fix double free bug Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 59/65] scsi: bnx2i: fix potential use after free Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 60/65] scsi: target: core: Fix a pr_debug() argument Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 61/65] scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 62/65] scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 63/65] scsi: core: scsi_trace: Use get_unaligned_be*() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 64/65] perf probe: Fix wrong address verification Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 65/65] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id Greg Kroah-Hartman
2020-01-22 14:39 ` [PATCH 4.14 00/65] 4.14.167-stable review Naresh Kamboju
2020-01-22 14:58 ` Jon Hunter
2020-01-22 19:00 ` Guenter Roeck
2020-01-22 20:53 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200123230129.GA3737@roeck-us.net \
--to=linux@roeck-us.net \
--cc=christian.brauner@ubuntu.com \
--cc=eparis@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).